Millions of WordPress sites have had to install emergency and forced security updates due to a vulnerability in a very popular add-on called UpdraftPlus, which allows steady users to make site backups.
The UpdraftPlus extension provides site owners with the ability to save a backup copy of their site databases, but it was famous that this add-on did not provide this feature only to site owners, but it is available to anyone who has a membership in the sites that support it – meaning that provided you are registered on a site that contains this add-on, You can back up the entire website on your device.
A Jetpack security researcher discovered this vulnerability during a plugin review, where Jetpack protects WordPress sites and security-tests plugins so they don’t cause breaches. While reviewing the extension, the researcher found that any registered user of the site can make a backup copy of the site and download its entire database.
The researcher then informed the developers of UpdraftPlus, who in turn sent forced updates to the 3 million-plus sites that had already installed the add-on.
Source: